Weekly podcast: Equifax, Facebook and Kaspersky

This week, we discuss the Equifax data breach, a fine for Facebook and a ban for Kaspersky.

Hello and welcome to the IT Governance podcast for Friday, 15 September 2017. Here are this week’s stories.

The obvious place to start is with Equifax, which announced at the end of last week that it had suffered a data breach potentially affecting approximately 143 million US customers’ “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed”.

The consumer credit reporting agency has established a dedicated website, equifaxsecurity2017.com, to help its US customers, and issued regular progress reports to keep affected parties informed. The latest of these, issued on Wednesday 13 September, revealed how the incident occurred.

Moving on to Facebook: Spain's data protection authority, the AEPD, has fined the social network for breaching national data protection law. According to the agency, “Facebook does not inform users in an exhaustive and clear way about the data that will [be collected] and the processing operations that will be carried out”.

The agency also found that “users are not informed that their information will be processed through the use of cookies […] when browsing non-Facebook pages containing the ‘Like’ button” – a situation that also affects people who are not Facebook members, but have visited one of its pages.

Moreover, the social network’s privacy policy “contains generic and unclear terms, and obliges users to access too many different links to get to know it” and the company “inaccurately refers to the use it will make of the data it collects, so that a Facebook user with an average knowledge of the new technologies does not become aware of data collection or storage and subsequent processing, nor for what purpose they will be used”.

Finally, the AEPD found that Facebook doesn’t delete the information it collects from users’ browsing habits. All of these are violations of the Organic Law on Data Protection (LOPD).

You may remember that in March, at a Senate hearing into Russian interference in the 2016 US presidential election, the former NSA director Keith Alexander said he wouldn’t trust Kaspersky products. Now, the US Department of Homeland Security has issued a Binding Operational Directive requiring US federal government offices to remove Kaspersky products from their information systems within 90 days.

According to a statement: “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

In a statement obtained by BuzzFeed, a Kaspersky spokesperson said: “No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company.”

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

About The Author

Punctilious about punctuation and scrupulous about syntax, Neil is nevertheless painfully aware of Muphry's Law. He has worked at IT Governance for over five years, writing about all IT governance subjects. He also presents the weekly podcast.